File name The NTFS and FAT file
File systems is a data store or recover area of a computer system, depend to the operation system version it may have FAT (File Allocation Table)or NTFS(New Technology file system).compare with FAT and NTFS file system there are many feature difference, I’d like category this differences in file structure, Storage Mechanisms and file name, file date and time, security feature
Depend to the array bit of the entries in the actual FAT structure on the disk. FAT file system have three different versions FAT 12, FAT 16, FAT 32. There are three major physical layout components of FAT file system:
Reserved area(volume boot sector)- include the data in the file system category
FAT(file allocation table) – contain the primary and backup FAT structure
data area- contain the cluster which allocated store file and directory content
by default there normally two FATs(FAT1 and FAT2) in a file system but the exact number of FAT and total size of FAT need determine in the boot sector. For the digital forensic investor to identify the file name, size, start address of the file content and other metadata, the investor need check the directory entry in the file allocate table
NTFS is most common file system for the windows PC, compare to FAT file system NTFS have many new feature. NTFS have better metadata support,data structure than FAT file system, all the important data of NTFS is allocated as files not have special layout like FAT file system, the first 16 sectors is boot record which include the boot cord, disk signatures and table of primary partitions is the important file for the digital forensic investor to identify the device partitions. The center of the NTFS file system is the MFT (Master File Table) which similar to the FAT directory enter, it keep the record all the file and folder in the NTFS volume,any file name start with $ are MFT stored metadata file. The $Bitmap is similar to the FAT1 and FAT2 in the FAT file system. The following table showing the major system file of NTFS system and their functions.
Master file table, each MFT record is 1024 bytes long
Backup of MFT
The file used for system recovery and interity
Identify information about NFT version and volume name
Track the allocation of eight cluster
Contain the partition boot sector and boot code
Bad cluster information of the partition
Secure information of the file
Storage Mechanisms and file name
The NTFS and FAT file system both keep the data in the cluster, but the NTFS use smaller cluster size which means the NTFS can store data. As we discuss before NTFS use Master file Table but FAT use directory entries and file allocation table, when the forensics investor exam the NFTS disk they can find file information for the 0 sector. But with the FAT file system the data won’t be record after reserved area and FAT areas, also same extract sector after data area when the forensic investor exam FAT file system they need check the hide data in these sector.
NTFS store in the MFT(master file table), there are 3 attribute important for the forensic investigation $STAND_INFORMATION, $FILE_NAME and $DATA attribute. All the file name and directory information are in these three attribute. In FAT file system all the file will save under long file name
File date and time
NTFS store the file date and time in UTC ( Coorfinated Universal Time) but FAT store the file on computer local time.
FAT file system was not design for encryption form internal, the only way can secure is using external program. Compare with FAT file system NTFS have been improve their security system, NFTS have access control and file encryption. The file only can be access when the user has been login.